Cisco network kit warning: Watch out for malware in the firmware

Someone's reverse-engineered ROMMON to craft an admin-level attack

Cisco has warned users to watch out for who's got admin access to their kit, because it's seen malicious ROM images in the wild.

The problem is that this isn't something the Borg can just issue a patch for. Admins – with appropriate credentials, naturally – need to be able to drop new ROM images on their kit as a matter of course.

"The ability to install an upgraded ROMMON image on IOS devices is a standard, documented feature that administrators use to manage their networks", Cisco says.

In its advisory, the company says "Cisco has observed a limited number of cases where attackers, after gaining administrative or physical access to a Cisco IOS device, replaced the Cisco IOS ROMMON (IOS bootstrap) with a malicious ROMMON image".

ROMMON is the IOS bootstrap, so replacing it means the attacker can "manipulate device behaviour", and unless the owner spots the malicious image, it will persist beyond a reboot.

It doesn't take a fevered imagination to suggest a pretty sophisticated actor is involved here. Someone needed the skills to reverse-engineer ROMMON, and the resources to suborn sysadmins into installing the malicious image into their networks.

"In all cases seen by Cisco, attackers accessed the devices using valid administrative credentials", the note states, meaning someone back-tracked the attack to the admin account used. ®